pf ruleset question
Mario Doria
madd at tecdigital.net
Sun Mar 21 22:40:00 PST 2004
Hi all,
I was reading a pf ruleset example at
http://www.openbsd.org/faq/pf/example1.html when I noticed this:
(1) pass in on $int_if from $int_if:network to any keep state
(2) pass out on $int_if from any to $int_if:network keep state
(3) pass out on $ext_if proto tcp all modulate state flags S/SA
(4) pass out on $ext_if proto { udp, icmp } all keep state
$int_if is the internal interface.
$ext_if is the external interface.
As I understand it, rule (1) allows the internal network to communicate with
the firewall and with the outside world.
Rule (2) lets the firewall talk to the internal network.
Rule (3) lets traffic go out (tcp), but pf is first going to use a high
quality random sequence number for each connection.
Rule (4) lets protocols udp and icmp go out on the external interface.
Now the problem I see is:
from the pf.conf(5) man page:
" There are two caveats associated with state modulation: A modulate state
rule can not be applied to a pre-existing but unmodulated connection.
Such an application would desynchronize TCP's strict sequencing between
the two endpoints. Instead, pf(4) will treat the modulate state modifier
as a keep state modifier and the pre-existing connection will be inferred
without the protection conferred by modulation."
So, here rule (1) is the first rule that sees the connections coming from the
internal interface, and if you're doing NAT on the firewall, when your
packets go out to the world using rule (3), they would not benefit from the
modulate keyword. pf would treat the connection as a previously existing
connection and then it wouldn't be able to apply the modulate keyword.
I don't know if this is correct, I'm having doubts because I found this
example on the "official" FAQ for PF. Can anyone help me please?
Mario
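One way to settle this kind of question empirically rather than by reading the FAQ is to look at what pf actually did: `pfctl -vvsr` prints each loaded rule with its number (`@N`), and `pfctl -vss` prints each state with the number of the rule that created it (`... rule N`), so you can see whether the translated connection on $ext_if got its own state from the modulate rule or only matched the state created on $int_if. The script below is an added example, not part of the original post or of pf itself; the two samples are constructed to approximate those pfctl output formats (interface names fxp0/fxp1 and all addresses are made up), and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. The two samples below are
# constructed to approximate `pfctl -vvsr` and `pfctl -vss` output; they are
# not captured from a real firewall.

# Constructed `pfctl -vvsr` excerpt: rule numbers (@N) in load order.
SAMPLE_RULES='@0 pass in on fxp1 inet from 192.168.1.0/24 to any keep state
@1 pass out on fxp1 inet from any to 192.168.1.0/24 keep state
@2 pass out on fxp0 proto tcp all flags S/SA modulate state
@3 pass out on fxp0 proto udp all keep state'

# Constructed `pfctl -vss` excerpt: one state entry per two lines, the second
# line ending in the number of the rule that created the state. The second
# entry shows the NAT'd source address with the original in parentheses.
SAMPLE_STATES='self tcp 192.168.1.10:49152 -> 203.0.113.5:80       ESTABLISHED:ESTABLISHED
   age 00:01:23, expires in 23:58:37, 45:40 pkts, 6000:55000 bytes, rule 0
self tcp 198.51.100.2:61000 (192.168.1.10:49152) -> 203.0.113.5:80       ESTABLISHED:ESTABLISHED
   age 00:01:23, expires in 23:58:37, 45:40 pkts, 6000:55000 bytes, rule 2
self udp 192.168.1.10:53000 -> 203.0.113.53:53       MULTIPLE:MULTIPLE
   age 00:00:02, expires in 00:00:58, 1:1 pkts, 60:120 bytes, rule 0'

# Count states per creating rule. Reads `pfctl -vss` text on stdin and
# prints "RULE COUNT" lines sorted by rule number.
states_by_rule() {
    awk '/, rule [0-9]+[ \t]*$/ { count[$NF]++ }
         END { for (r in count) printf "%s %d\n", r, count[r] }' | sort -n
}

# Print the text of rule number $1 from `pfctl -vvsr` text on stdin.
rule_text() {
    awk -v n="$1" '$1 == ("@" n) { sub(/^@[0-9]+ /, ""); print }'
}

# Exit 0 if rule number $1 (looked up in `pfctl -vvsr` text on stdin)
# carries the modulate state option.
rule_modulates() {
    rule_text "$1" | grep -q 'modulate state'
}

# For every creating rule seen in the state table, report how many states
# it created and whether it is a modulate state rule.
report() {
    printf '%s\n' "$SAMPLE_STATES" | states_by_rule | while read -r rule n; do
        text=$(printf '%s\n' "$SAMPLE_RULES" | rule_text "$rule")
        if printf '%s\n' "$SAMPLE_RULES" | rule_modulates "$rule"; then
            mod=yes
        else
            mod=no
        fi
        printf 'rule %s created %s state(s), modulate: %s  [%s]\n' \
            "$rule" "$n" "$mod" "$text"
    done
}

report
```

On a live firewall, replace the two constructed samples with `pfctl -vvsr` and `pfctl -vss` output. A state whose entry carries the translated address in parentheses and is attributed to the `modulate state` rule was created by that rule on the outbound interface; the pre-existing-connection caveat quoted from pf.conf(5) only bites when the modulate rule first sees a connection that is already mid-stream, so checking the rule number on a freshly opened connection tells you which case you are in.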